Foreword | Cloud computing can be defined as a pool of virtualised computing resources that allows users to gain access to applications and data in a web-based environment on demand. This paper explains the various cloud architecture and usage models that exist and some of the benefits in using cloud services. It seeks to contribute to a better understanding of the emerging threat landscape created by cloud computing, with a view to identifying avenues for risk reduction. Three avenues for action are identified, in particular, the need for a culture of cyber security to be created through the development of effective public-private partnerships; the need for Australia's privacy regime to be reformed to deal with the issues created by cloud computing and the need for cyber-security researchers to find ways in which to mitigate existing and new security risks in the cloud computing environment. Cloud computing is now firmly established in the information technology landscape and its security risks need to be mapped and addressed at this critical stage in its development.
A computer's operating system, applications and data are typically installed and stored in the 'traditional' computing environment. In a cloud computing environment, individuals and businesses work with applications and data stored and/or maintained on shared machines in a web-based environment rather than physically located in the home of a user or a corporate environment. Lew Tucker, Vice President and Chief Technology Officer of Cloud Computing at Sun Microsystems, explained that cloud computing is 'the movement of application services onto the Internet and the increased use of the Internet to access a wide variety of services traditionally originating from within a company's data center' (Creeger 2009: 52). For example, web-based applications such as Google's Gmail(TM) can be accessed in real time from an Internet-connected machine anywhere in the world.
Use of cloud services creates a growing interdependence among both public and private sector entities and the individuals served by these entities. This paper provides a snapshot of risk areas specific to cloud services and those that apply more generally in an online environment which clients of cloud service providers should be aware of.
It is not clear when the term cloud computing was first coined. For example, Bartholomew (2009), Bogatin (2006) and several others suggested that 'cloud computing' terminology was, perhaps, first coined by Google(TM) Chief Executive Eric Schmidt in 2006. Kaufman (2009: 61) suggests that cbud computing terminology Originates from the telecommunications world of the 1 99Os, when providers began using virtual private network (VPN) services for data communication'. Desisto, Plummer and Smith (2008: 1) state that '[t]he first SaaS [Software as a Service] offerings were delivered in the late 1990s. .. [although these offerings weren't called cloud computing'. There is, however, agreement on the definition of cloud computing.
The National Institute of Standards and Technology defines cloud computing as
a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (eg networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (Meli 2009: 9).
Architectures and deployment models
Cloud architectures can be broadly categorised into:
Infrastructure as a Service (laaS) is the foundation of cloud services. It provides clients with access to server hardware, storage, bandwidth and other fundamental computing resources. For example, Amazon EC2 allows individuals and businesses to rent machines preconfigured with selected operating systems on which to run their own applications.
Platform as a Service (PaaS) builds upon laaS and provides clients with access to the basic operating software and optional services to develop and use software applications (eg database access and payment service) without the need to buy and manage the underlying computing infrastructure. …